html escape attribute keys also

stckme · Feb 12, 2024 · 639c831 · 639c831
1 parent 86b85d5
commit 639c831
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/tiptapy/__init__.py b/tiptapy/__init__.py
@@ -69,13 +69,16 @@ def escape_values_recursive(node):
     html_key = "html"  # key to look for html content
     if isinstance(node, dict):
         for k, v in node.items():
-            if k == html_key:
+            esc_k = escape(k)
+            if k != esc_k:
+                node[esc_k] = node.pop(k)
+            if esc_k == html_key:
                 # Allow only iframe tag
                 p = IFrameParser()
                 p.feed(v)
-                node[k] = p.iframe
+                node[esc_k] = p.iframe
             else:
-                node[k] = escape_values_recursive(v)
+                node[esc_k] = escape_values_recursive(v)
     elif isinstance(node, list):
         for i, v in enumerate(node):
             node[i] = escape_values_recursive(v)

diff --git a/tiptapy/macros.py b/tiptapy/macros.py
@@ -1,4 +1,5 @@
 import pkgutil
+from html import escape
 from string import Template
 from urllib.parse import urlparse
 
@@ -31,7 +32,9 @@ def handle_links(attrs):
             ):
                 attrs["target"] = "_blank"
                 attrs["rel"] = "noopener nofollow"
-            retval = " ".join(f'{k}="{v}"' for k, v in attrs.items() if v is not None)
+            retval = " ".join(
+                f'{escape(k)}="{escape(v)}"' for k, v in attrs.items() if v is not None
+            )
         return retval
 
     return handle_links